Shaping the Future of Identity


a chat with Damian Schenkelman

Editor's note: Welcome to the second edition of Identity Reimagined, and thanks for subscribing. Here on Auth0's LinkedIn page, our newsletter will focus less on product and features, more on the underlying ideas and innovations. To learn more about what we're up to on the Auth0 platform, look at the latest Zero Index newsletter, and please subscribe for our monthly developer email.



Hello friends of Auth0 -

I'd been listening regularly to Damian's engaging Authorization in Software podcast, and I thought it'd be interesting to hear from him directly about his current work with the Auth0 Lab - our all-star team of top engineers working on experimental projects at the leading edge of Identity and auth. Damian and I spoke over email and Slack, and collaborated on the selection of questions.

Q: Tell us a little about your current role: your title and the work you do at Okta. (The last time you answered this question was 2020, well before Auth0 and Okta joined forces). Can you give an updated answer? What do you work on these days?

I'm a principal architect on the Auth0 Lab team. I'm one of 5 engineers working on researching the future of identity and adjacent areas, to figure out future capabilities for Okta in the realm of developers, B2C, and B2B.

Q: What is the origin story for Auth0 Lab? How did it get started and how has it evolved or changed since Okta's acquisition of Auth0?

Originally the Lab started with Matias Woloski (Auth0 co-founder and original CTO) and a group of engineers. He covers some of the story in this video conversation.

He and the team started in mid-2018 as the "office of the CTO", working on new capabilities, and occasionally stepped in to augment and extend the work of engineering teams for some mission-critical projects.

Over time, the team evolved towards a focus on experimentation, especially on horizon 2 (emerging products that are 18+ months out). The product delivery organization kept its focus on horizon 1 (core business products that are 0-18 months out).

Q: How does innovation happen in Auth0 Lab - who do you work with, and how are projects selected?

Our goal is to ideate and validate ambitious ideas that can become either dedicated products or major features as part of the Auth0 offering. The way we work looks something like this:

  • Typically, we brainstorm ideas as a team and figure out what would be a good way to approach the problem or solution.
  • Then, in parallel, we build both a proof-of-concept (PoC) as well as some (Figma) mockups to show how things will work. This makes it more concrete, as well as easy to share our vision rather than what a v0 might be. Once we have something (either a PoC or mockups ready), we share with prospects and/or customers to validate, and feed back into the mockups and PoC.
  • The validation approach varies depending on the capability we're experimenting with. The PoC is useful to show working code during the validation phase. This also gets customers excited and gives us an idea of what it will take to build out the capability or feature.
  • At any given time, we might have one or two large projects we are validating, and a few other smaller ideas in play. Some recent examples are: zanzibar.academy (explaining the Google Zanzibar paper), verifiablecredentials.dev (to learn about W3C Verifiable Credentials), ID Wallet (a toy/learning wallet devs can use to learn about Verifiable Credentials) and mdl.me (explains how the mobile Driver's License works).

Q: What products have come from the Lab, and what are you most interested in for 2024?

In 2024 we have a couple of new topics in mind:

  • Making it trivial for developers using Auth0 to implement subscription and entitlement management.
  • Exploring the use of verifiable credentials for additional scenarios, like content authenticity.

Q: A big part of research involves keeping up with innovation, market trends. How do you keep up with things in the Auth space?

There are a couple of areas that I try to keep up with. It is hard. Luckily, I work with a lot of people who are interested in similar topics and we share content in Slack. Often, if I don't see an article or new standard I'll learn about it there.

These areas of interest are:

  • Regulation (e.g. EU defining what identity wallets should do and how they'll work)
  • Standards & protocols (I try to have a high-level idea of what is being standardized, and what the standard allows.)
  • New offerings from other tech companies
  • General state of the industry, startups/venture capital in particular (new ideas)

Resources include Twitter, Slack, Substack, and podcasts.

Q: I understand the Lab is fairly geo-distributed… What are your thoughts about making distributed teams work for the type of work you do?

We have a fairly senior team by design. Folks are in four different countries: Argentina, Uruguay, the UK, and the US (east coast). No offices.

The Lab team is experienced at building software at Auth0, and now at Okta. They know developers, and have depth in the Identity industry, its products, platforms, and features.

We have a check-in every two weeks where we do demos. That's sync. Everything else is async. We leave comments on docs, roughly formatted when ideating, more organized later on.

Same for the mockups: we collaborate on a design session via Zoom, then comment there async and iterate.

Q: How do you decide when an experiment is ready to "graduate" from the Lab? Who decides? How does it work?

First, we (the team) have to feel confident that the product will be successful, and that its timing is right, before making the case that something should graduate. For instance, with FGA, we knew early on it was going to be big and the timing was right based on customer feedback, and the ways we could use it ourselves.

For verifiable credentials (VCs), we spent some time researching in 2021 and 2022, and then we waited. We did not feel it was right yet. We think VCs will be big, but for us in 2021 it was not the right time to figure out what to build. The tech and the industry were not ready. In 2022 we built a PoC using draft OID4VC (OpenID for Verifiable Credentials) standards. Building on top of the OIDC drafts was a bet for us, but seems to have been right so far. We liked what the PoC allowed devs to do, but the timing was still not right to have it graduate. Then, in 2023, we saw a big rise in government interest and we started advocating for its graduation internally. Auth0 decided to include credential verification in the upcoming 2024 (FY 25) roadmap.

To have initiatives graduate, we write a document making their business case, including recommendations on how we think the organization will be able to build it. We then discuss with Customer Identity Cloud leadership (President, CTO, SVP of Product), and decide how to move forward with knowledge transfer and all the other major handoffs.

We're excited about what's ahead for the Auth0 Lab in 2024. To keep up with our experiments and releases, you can follow the Auth0 Lab page here on LinkedIn, or join us on the Auth0 Lab discord. We'll also be sharing updates @auth0lab, on X (formerly Twitter). Stay in touch!



News & resources from Auth0 and friends

Here's a quick update and pointers to content created by Auth0's developer advocates, with guidance for developers who are implementing identity for their company, organization, startup, or student project.

This -> Did you know about the Vittorio Bertocci Award, announced earlier this month by the Digital Identity Foundation? It honors Vittorio's legacy by inspiring and supporting the next generation of identity experts who will shape the foundation of digital identity.

A couple of useful new videos:


How machine to machine auth works - Will Johnson describes how to use the client credentials grant for machine-to-machine authorization.

And Matt Raible shows you how to configure and run a Spring Boot and Angular CRUD app that's secured with OpenID Connect in Building a CRUD app with Spring Boot and Angular.


Got questions or comments? Let us know what you think. Gently please. Stay safe out there.

Warm regards,

Havi Hoffman

Auth0 DevRel team